CVE-2024-39370
Published: 14 January 2025
Description
An arbitrary code execution vulnerability exists in the adm.cgi set_MeshAp() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Security Summary
CVE-2024-39370 is an arbitrary code execution vulnerability in the adm.cgi set_MeshAp() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. The flaw arises from a specially crafted HTTP request that can lead to arbitrary code execution, classified under CWE-120 (Buffer Copy without Checking Size of Input). It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact effects across confidentiality, integrity, and availability.
An attacker requires high privileges (PR:H) to exploit this vulnerability via an authenticated HTTP request to the affected component. Successful exploitation enables arbitrary code execution on the device, with network vector (AV:N), low complexity (AC:L), no user interaction (UI:N), and scope change (S:C), allowing full compromise of the router's security.
Mitigation details are available in the Talos Intelligence advisory TALOS-2024-2031 at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2031. Security practitioners should consult this report for recommended patches or workarounds specific to the Wavlink AC3000 firmware.
Details
- CWE(s)